Encryption

Introduction

To encrypt means to convert from a readable file using a password or key file to an unreadable
file (encrypted file). The reverse process is decrypting, you need the same password or key file
to get back the original readable file. Encrypted files are useful for storing sensitive data
or for sending sensitive data using insecure channels.

Decrypting without the password or key file is possible
using brute force attack (it tries all possible variants), but it's too expensive (rather unreal)
because of used key sizes (128 bits and more). Another possibility is to find successful attack
against the used encryption algorithm, but this should be also very very improbable (many
genius cryptographers are still trying). The easiest way how to decrypt such archive is to steal
your password or your key file (with password).

Encrypted Archives

The core of the encryption process is an encryption algorithm. It encrypts a block of
data (typically 64 or 128 bits) using a binary key (its size is 128 bits or more). The
binary key for all files in an encrypted archive is generated as a practically strong random
number (such number should be found only by a brute force attack) when you create an archive.

This randomly generated binary key is encrypted using a binary key produced from user's
password or key file and stored in the encrypted archive. This enables you to change a password
or key file for an encrypted archive without decrypting and encrypting of the whole archive.

See the Cipher Modes section below for two variants of splitting a file to blocks
required by encryption algorithm.

All files in an encrypted archive can be also compressed using Deflate algorithm (used also
in ZIP compression). The resulting archives are smaller, so transferring or storing of such
encrypted archives is easier. Compressing of an encrypted archive is not efficient, if
you want to use another compression (more efficient), you need to compress files before
encrypting.

You can also add a comment to an encrypted archive. It's not encrypted, so
it is readable without having the password of key file. All other data (also filenames)
are encrypted.

Practically Strong Random Numbers

Each encrypted archive has the binary key generated as a practically strong random
number. It means that no one can calculate this number. To obtain such random numbers,
the plugin needs to collect unpredictable values to seed the random number generator.
It collects system information, structure of heap allocations, coordinates and times
of your mouse pointer moves, and values and times of your key presses.

Supported Encryption Algorithms

AES (Advanced Encryption Standard) with 128-bit block size, key sizes: 128, 192, and 256 bits,
first published in 1998: it is also known as Rijndael, a block cipher adopted as an encryption
standard by the US government, developed by two Belgian cryptographers: Joan Daemen and
Vincent Rijmen,

Blowfish with 64-bit block size, key size 448 bits, first published in 1993: designed by
Bruce Schneier,

TrippleDES with 64-bit block size, key size 168 bits (192 bits including parity), first
published in 1978: based on using DES (Data Encryption Standard) three times, it solves
the DES problem of too small key size (56 bits key can be broken using brute force attack
in less than 24 hours today).

Key Files

The key file contains 2048 bits generated as a practically strong random number
(such number should be found only by a brute force attack). When you encrypt some
files using this key, required part of these random bits (e.g. 128 bits) is used
as a binary key for an encryption algorithm. The advantage of using key files is that
it is practically impossible to guess such random number. The disadvantage is that
you need to store this key in a secret place (anyone can decrypt your archives using
this key). To suppress this disadvantage, you can protect your key file with
a password (your key file is internally encrypted using a password). The suitable
place for storing key files is e.g. USB stick (still in your pocket, like other keys).
In all cases, make the backup of your key files and place it to some secure place,
because if you lost these keys, files in encrypted archives are lost.

Passwords

If you decide to use a password (usually weaker protection than key files), we
recommend to use multi-line password (the maximal password size is 10240 characters)
or password with numbers, special characters, etc. All password characters are used,
we use a hash algorithm to convert your password to a binary key used by
an encryption algorithm.

Supported Hash Algorithms

SHA-1 and SHA-2 (Secure Hash Algorithm), first published in 1995 and 2004: designed by
the National Security Agency (NSA) and published as a US government standard,

HAVAL, first published in 1992: invented by Yuliang Zheng, Josef Pieprzyk, and Jennifer
Seberry.

Cipher Modes

All supported encryption algorithms work with blocks of data with fixed size
(64 or 128 bits). The plugin must split data to such blocks. It supports two modes:
ECB (Electronic Codebook) and CBC (Cipher Block Chaining). In ECB mode, data is padded
out to a multiple of the block size, broken into blocks, each of which is encrypted
independently. In CBC mode, prior to encryption, each block of data is XOR-ed with the
encrypted prior block. It means that CBC is more secure than ECB because it effectively
scrambles data prior to each encryption step. The disadvantage of CBC is that the
encryption of a data block becomes dependent on all the blocks prior to it.

Shredding Files and Cleaning Disk Free Space

When you delete a file, only reference to its data is deleted and the data itself
remains on disk until another file's data overwrites it. You can use Undelete utility
(e.g. the Undelete plugin) to recover deleted file. If you want to prevent undeleting
of files, you need to shred them. It makes recovering of deleted files very difficult
if not impossible (surely impossible for common undelete utilities).

If you want to be sure that all your deleted files (also temporary files created
by applications) are irreversibly deleted, you should clean all disk free space. It
makes recovering of any deleted files impossible at least for common undelete utilities.

Shredding Methods

Gutmann algorithm, 26 passes: this is the most secure (and slowest) method. It overwrites
file data with carefully selected patterns, each of which addresses different disk encoding
scheme (MFM, RLL, etc.). The method also uses several random passes. It should not be
possible to recover the original data.

DOD (Department of Defense) 5220.22-M, 3 passes: the file data will be overwritten with
zeros, then with the character 0xFF, and finally with random characters. This method is
faster, but less secure, and there are chances hardware data recovery may succeed.

Random Overwrite, custom number of passes (only 1 pass by default): this is the fastest
and least secure method, which simply overwrites file data with random characters. It still
prevents the data to be recovered by software means, however, using special hardware, the
original data can be traced. (Note: this is the only method suitable for compressed drives.)

Zeros Overwrite, 1 pass: Please DON'T use this method if you are looking for shredding.
This method is included only for special purpose: filling free disk space with zeros.
Such disk can be compressed very well during image backup. Available only in Clean
Disk Free Space command.

Network and SSD Drives

It is not technically possible to shred files or free space on network and SSD drives. When
you try to perform shredding operation on such drives, warning message will be displayed.
Please don't use such drives for storing sensitive data you may need to shred.